Flare recently hosted our first Threat Intel Workshop with Senior Threat Intelligence Researcher Tammy Harper. Below are some of the questions Tammy covered on improving threat intelligence collection practices.
1. How does the disruption to Telegram affect threat actors?
After the arrest of Telegram's CEO in August 2024, the messaging platform, which has been popular with threat actors, began cooperating with law enforcement in an effort to cut down on criminal activity on the app.
Over the last few years, threat actors have shifted their operations from traditional dark web forums so that Telegram serves as a complement or popular alternative. Now that Telegram is working with law enforcement, how does this change the cybercrime landscape?
Malicious actors are seeking out other platforms like Signal, Session, Matrix, SimpleX, and more, but these do not offer the same user experience as Telegram. For example, when comparing Telegram and Signal, Telegram is more community-forum oriented, making it easier for participants to find each other, and it supports social features, like stickers, that build community. From a malicious actor's perspective, Telegram's file support also makes sharing and storing stolen information easier. Meanwhile, Matrix has a higher potential for honeypotting, which can deter threat actors.
There are some other questions on what this change will cause, such as: will Telegram truly increase cooperation with authorities? Will Telegram become a more moderated app? But for now it may be too early to have definite answers.
2. The infrastructure and IoCs you collect, are they often this “noisy”? Often the IoCs collected by our team are clean with no reports found, making it more difficult to detect during the monitoring phase.
Security teams use IoCs in two different ways:
- Threat hunting: looking for specific forensic information or investigating an incident
- Threat intelligence gathering: looking for information on the dark web that can be linked to the organization’s IT infrastructure
When security teams collect IoCs for incident response and forensics, they take a targeted, reactive approach, asking questions such as:
- What machine was compromised?
- Was information exfiltrated?
- What network(s) did an attacker traverse?
- What vulnerabilities did the attacker exploit?
The IoC data is similarly streamlined, as it more likely focuses on evidence that the teams can observe in or collect from their systems like:
- Abnormal network traffic and activity detected by network monitoring tools
- Suspicious activity on specific computers or systems detected by Endpoint Detection and Response (EDR) tools
- File-based modifications indicating malicious files or malware detected from file-scanning tools
- Anomalous user or entity behavior detected through Identity and Access Management (IAM) or User and Entity Behavior Analytics (UEBA) tools
When collecting dark web threat intelligence for red teaming, security analysts are looking for clues to identify threats proactively. With a broader purpose, the valuable information is more varied and can include:
- Information about attacks targeting specific individuals, organizations, industries, or geographic regions
- Exposed credentials linked to users or organizations, including stealer logs from initial access brokers
- Data about attacks targeting zero-day vulnerabilities
- Lists of compromised devices as a part of botnets for sale
In the workshop example, we reviewed a specific log belonging to a threat actor. Since the purpose was proactive identification across a system, all of the information was relevant.
3. How much time do you spend to dwell for each threat hunting?
Gathering threat intelligence during the threat hunting process should be focused around the core question: “So what?”
With the large amount of threat intelligence available from the dark web, security analysts need to take a structured approach to their gathering and analysis so that they can remain productive without falling into rabbit holes.
Actionable threat intelligence collection and analysis distills data into insights that enhance risk management by enabling security teams to implement proactive measures against potential attacks. For every investigation, the primary questions that security analysts should ask include:
- What does this information tell me about the potential damage the attacker can do to my organization?
- How does this information help me understand the likelihood of an attack against my organization?
- How does this information help me allocate resources required to mitigate the risks?
Asking “so what?” might feel harsh, but it helps researchers stay focused on their main goal to ensure they find relevant information that furthers the investigation.
4. How do you determine what, who, and where you will research? Is it in response to an investigation, incident, event or out of your own interest?
Security researchers generally build effective intelligence requirements that ask:
- What information do I need?
- Why do I need this information?
- How will this support decision-making processes?
As they build out their requirements, they should consider these three essential components:
- Subject: What specific area of interest best fits the business objectives?
- Purpose: Why is this information important to the organization’s strategic objectives?
- Justification: How does this requirement contribute to improving cybersecurity efforts in a way that makes it a priority?
At Flare, we follow the same process, triggering investigations based on what customers need. To stay one step ahead of trends, we tailor our research to provide insights about meaningful dark web activities that help improve cybersecurity and strategic business outcomes, like:
- Changes in the ransomware ecosystem, especially as law enforcement activities interrupt large cybercriminal organizations like LockBit
- Ransomware trends, like the move to third extortion tactics where cybercriminals target the people whose data was stolen
- Evolving strategies for commodifying and monetizing attacks, like crowdsourcing a DDoS attack
5. Do you track card leaks as well? How do you map the observed TTPs or IoCs like how do you differentiate between legitimate behavior?
The foundation of threat intelligence gathering and threat hunting is twofold:
- Use as many sources as possible
- Follow the evidence to reduce confirmation bias
Open Source Intelligence (OSINT) is publicly available information that can be categorized as:
- Passive: easily and publicly available, typically on the clear web
- Active: publicly but less easily available, like infiltrating dark web forums that require special access, permissions, or skills
Security researchers have access to clear web OSINT that includes known:
- Vulnerabilities
- Attack tactics, techniques, and procedures (TTPs)
- Third-party vendor breaches
- Security alerts, such as those from the Cybersecurity and Infrastructure Security Agency (CISA) or the Federal Bureau of Investigation (FBI)
Dark web threat intelligence provides contextual insight into:
- Current illicit activities and trends
- New TTPs
- Attacker motivations
By combining these different data points, security researchers can build profiles around the observed IP addresses and other indicators to determine which ones are likely associated with malicious activity rather than legitimate behavior.
6. Do you track card leaks? How are new sources vetted and validated?
Flare has a built-in capability for tracking card leaks.
At Flare, we review threat intelligence sources the way a security research team would, by assessing their investigational benefit and value. Some considerations include:
- How many active participants a forum, market, or illicit Telegram channel has
- How many transactions occur across a forum, market, or illicit Telegram channel
- Whether admins or mods are related to other, high-profile forums, markets, or illicit Telegram channels
- How recent the latest activity was
- How often other cybercriminals discuss a new forum, market, or illicit Telegram channel
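One way to turn these five considerations into a repeatable triage step is a weighted source score. The block below is an added example, not Flare's own code; the weights, normalisation caps, 90-day recency decay, threshold, and sample venues are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Assumed list of already-established venues used for the admin/mod overlap check.
KNOWN_HIGH_PROFILE = {"forum-alpha", "market-beta"}

@dataclass
class Source:
    name: str
    active_participants: int      # consideration 1
    monthly_transactions: int     # consideration 2
    admin_overlap: set            # consideration 3: other venues the admins/mods are tied to
    last_activity: date           # consideration 4
    mentions_by_other_actors: int # consideration 5: how often others discuss this venue

# Assumed weights; recency is weighted highest because dead sources cost analyst time.
WEIGHTS = {"participants": 0.20, "transactions": 0.20, "overlap": 0.20,
           "recency": 0.25, "mentions": 0.15}

def score_source(src: Source, today: date) -> dict:
    """Normalise each consideration to 0..1, then return the weighted total
    plus the per-criterion breakdown so an analyst can see why a source scored."""
    parts = {
        "participants": min(src.active_participants / 5000, 1.0),
        "transactions": min(src.monthly_transactions / 1000, 1.0),
        "overlap": 1.0 if src.admin_overlap & KNOWN_HIGH_PROFILE else 0.0,
        # Linear decay: a venue idle for 90+ days contributes nothing here.
        "recency": max(0.0, 1.0 - (today - src.last_activity).days / 90),
        "mentions": min(src.mentions_by_other_actors / 50, 1.0),
    }
    total = sum(parts[k] * WEIGHTS[k] for k in WEIGHTS)
    return {"score": round(total, 3), **parts}

def rank_sources(sources, today: date, min_score: float = 0.4):
    """Return (name, score) for sources worth onboarding, best first."""
    scored = [(s.name, score_source(s, today)["score"]) for s in sources]
    return sorted([t for t in scored if t[1] >= min_score], key=lambda t: -t[1])

# Constructed sample venues (not real sources).
TODAY = date(2024, 10, 1)
SAMPLE_SOURCES = [
    Source("new-channel-x", 300, 40, {"forum-alpha"}, date(2024, 9, 28), 12),
    Source("dormant-market", 4000, 500, set(), date(2024, 3, 1), 5),
    Source("ghost-forum", 20, 0, set(), date(2024, 9, 30), 0),
]

if __name__ == "__main__":
    for name, score in rank_sources(SAMPLE_SOURCES, TODAY):
        print(name, score)
```

Only the small but active channel with an admin tied to an established venue clears the threshold; the large but idle market and the empty new forum are filtered out.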
How Flare Can Help
The Flare Threat Exposure Management (TEM) solution empowers organizations to proactively detect, prioritize, and mitigate the types of exposures commonly exploited by threat actors. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7 to discover unknown events, prioritize risks, and deliver actionable intelligence you can use instantly to improve security.
Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by signing up for our free trial.